cbcvebase.
CVE-2020-12116
published 2020-05-07


Priority: P1 · 80 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit available: yes
EPSS: 97.42% (99.9th percentile)
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.

Affected (3 ranges)

Vendor     Product                  Version range   Fixed in
zohocorp   manageengine_opmanager   <= 12.3
zohocorp   manageengine_opmanager
zohocorp   manageengine_opmanager

Detection & IOCs (extracted from sources)

url: GET /cachestart/../../../../bin/.ssh_host_rsa_key
path: /cachestart/
path: ../../../../bin/.ssh_host_rsa_key
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager Directory Traversal Attempt (CVE-2020-12116)"; flow:established,to_server; http.request_line; content:"GET /cachestart/"; startswith; pcre:"/^\d{1,6}/R"; content:"/cacheend/apiclient/fluidicv2/javascript/jquery/"; fast_pattern; within:53; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-12116.yaml; reference:cve,2020-12116; classtype:web-application-attack; sid:2056376; rev:2; metadata:affected_product Zoho_ManageEngine, created_at 2024_10_01, cve CVE_2020_12116, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1552, mitre_technique_name Unsecured_Credentials; target:dest_ip;)
  • Exploit requests match the pattern GET /cachestart/<digits>/cacheend/apiclient/fluidicv2/javascript/jquery/ followed by directory traversal sequences (../ or URL-encoded variants) to reach arbitrary files.
  • A successful exploitation attempt targeting the SSH host RSA private key returns HTTP 200 with a response body containing 'BEGIN RSA PRIVATE KEY'.
  • The dynamic cache endpoint prefix can be extracted from the server's initial response body via the regex pattern (?m)/cachestart/.*/jquery/; this value is used to construct the traversal path.
  • Shodan/FOFA/Google dorks can be used to identify exposed OpManager Plus instances as potential targets.
  • The attack is unauthenticated and requires no prior session: no authentication headers or cookies are present in the exploit request.
  • The traversal path prefix (cachestart segment) is dynamic and must be extracted from the target's HTTP response before constructing the exploit URL, so a two-step request is required.
  • Vulnerable versions are Stable build before 124196 and Released build before 125125; patched instances will not be exploitable.
  • The Snort/ET rule (sid:2056376) requires SSL decryption to be effective against HTTPS-protected OpManager deployments, as indicated by the 'deployment SSLDecrypt' metadata.

CVSS provenance

NVD v3.1: 7.5 HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD v2.0: 5.0 MEDIUM  AV:N/AC:L/Au:N/C:P/I:N/A:N